Firefox Extension Verification May 2019

Most extensions released before May 2019 were signed with a certificate that expired on May 4, 2019. In order for Firefox to use or install an extension with one of the old signatures, it needs a new certificate installed. This is my latest information about how to get that certificate installed as of May 14, 2019. The process is not foolproof; in some number of cases, additional steps may be needed as noted in the Troubleshooting section below.

Currently Supported Versions of Firefox

Firefox 66 users can update to Firefox 66.0.5 or later, and Firefox 60 Extended Support Release users can update to Firefox 60.6.3esr or later. See: Update Firefox to the latest release (on Mozilla Support). If you install Firefox via a repository mananged by your Linux distribution, your update path may be different. On Android, you can update through Google Play.

Other Versions of Firefox

For security reasons, it is recommended to run a current release (Regular, ESR). However, Mozilla understands that not all users are up-to-date and has built hotfix extensions to add the certificate to a range of those versions. You can install the hotfix for your version from the Add-ons site; it may or may not get pushed out automatically.

Click the heading(s) for the version(s) you need to fix, and the details should appear:

Firefox 61 - 65

The hotfix extension can be found on the Add-ons site: Disabled Add-on Fix for Firefox 61 - 65 by Mozilla. After installation, the extension should immediately add the necessary certificate and remove the verification error from validly signed extensions.

Firefox 57 - 60 (not including Firefox 60 ESR)

The hotfix extension can be found on the Add-ons site: Disabled Add-on Fix for Firefox 57 - 60 by Mozilla. After installation, the extension should immediately add the necessary certificate and remove the verification error from validly signed extensions.

Firefox 47 - 56

The hotfix extension can be found on the Add-ons site: Disabled Add-on Fix for Firefox 47 - 56 by Mozilla. After installation, the extension should immediately add the necessary certificate and remove the verification error from validly signed extensions.

Manual Import Method

If a hotfix is not available for your version, you really should update!! The workaround for earlier versions of Firefox, or if the hotfix won't run, continues to be importing the certificate manually, and then triggering a signature reverification.

Step #2: Import the certificate. You do this on the Options/Preferences page. You can open that using any of these methods:

Windows: "3-bar" menu button (or Tools menu) > Options

Mac: "3-bar" menu button (or Firefox menu) > Preferences

Linux: "3-bar" menu button (or Edit menu) > Preferences

Any system: type or paste about:preferences into the address bar and press Enter/Return to load it

Firefox 55 or earlier: In the left column, click Advanced, then on the right side click Certificates. You should see a View Certificates button:

Firefox 56 or later: Type cert into the tiny search box at the top of the page to summon the relevant section. You should see a View Certificates button:

In all versions: Click the View Certificates button to launch the Certificate Manager. In the Certificate Manager, click the Authorities tab, and you should see an Import button:

Click the Import button and point Firefox to the .crt file you downloaded and Open that. Then Firefox should present a dialog with choices for the certificate. Do not check any of the boxes, simply click the OK button.

After importing, the certificate should appear in the Authorities list under Mozilla corporation. You can click OK to close the Certificate Manager.

Step #3: Clear the timestamp for the last signature verification. This will set up Firefox up to re-check your extensions much sooner than it otherwise would check.

(A) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.

(B) In the search box above the list, type or paste xpi- and pause while the list is filtered

(C) Right-click the app.update.lastUpdateTime.xpi-signature-verification preference and click Reset on the context menu

This screenshot illustrates before and after:

Step #4: Exit/Quit Firefox and start it up again. Within about a minute, Firefox should perform a fresh signature verification with the new certificate and re-enable all of the validly signed extensions.

Troubleshooting

The latest hotfixes should not suffer from the problems of the first one released over the weekend of May 4-5. However, there still could be issues in some cases.

New Version or Hotfix Does Not Install Certificate

Some Extensions Were Re-Enabled, Some Were Not

You can check for extension updates.

Hotfix Suddenly Stopped Working

Firefox saves the new certificate into a specific file in your currently active profile folder (cert8.db or cert9.db). If that file is removed, or if you have more than one profile, the fix will need to be applied again.